Tor Browser 4.0.7 is released
Unfortunately, the 4.0.7 release has a bug that makes it think of itself as 4.0.6, causing an update loop. This version mismatch will also cause the incremental update to 4.0.8 to fail to properly apply. The browser will then download the full update at that point, which should succeed, but at the expense of both user delay and wasted Tor network bandwidth.
For this reason, we have decided to pull 4.0.7 from the website at the moment, and instead prepare 4.0.8 as soon as possible.
Thank you for your patience.
Tor Browser Project page and also from our distribution directory.
This release contains an update to the included Tor software, to fix two crash bugs. One bug affects only people using the bundled tor binary to run hidden services, and the other bug allows a malicious website or Tor exit node to crash the underlying tor client by inducing it to load a resource from a hidden service with a malformed descriptor. These bugs do not allow remote code execution, but because they can be used by arbitrary actors to perform a denial of service, we are issuing a security update to address them.
There will be no corresponding 4.5-alpha release for this fix, to allow us to focus on stabilizing that series for release in ~2 weeks.
Note to MacOS users: This is the last planned release that will run on 32 bit MacOS versions. Users of Mac OS 10.8 (Mountain Lion) and newer versions will be automatically updated to the 64 bit Tor Browser 4.5 when it is stabilized in April, and we expect this transition to be smooth for those users. However, the update process for 10.6 and 10.7 users will unfortunately not be automatic. For more details, see the original end-of-life blog post.
Here is the complete changelog since 4.0.6:
- All Platforms
- Update Tor to 0.2.5.12
- Update NoScript to 126.96.36.199